How to connect mongoDB with client SSL certificate

veeramani ramu shared this question 3 years ago
Answered

Hi,

I am not able to connect to my MongoDB server with a client SSL certificate, but I can connect from the command prompt.


You should use x.509 Certificates to Authenticate Clients. Please see the attached picture.


Set the auth mode to X.509. And set the Certificate.



Hi,


Can you please clarify the below.

Which file do you want me to upload in that certificate field? I have a certificate named "server.crt", but that file browser requires a .pem file. I used two files to start the server, as below.

mongod --auth --port <port number> --dbpath <data path> --enableEncryption --encryptionKeyFile <mongodb encryption keyfile> --sslMode requireSSL --sslPEMKeyFile <mongodb.pem> --sslCAFile <server.crt>


Now, can you please confirm that file.


Hi,


Certificate is for sslPEMKeyFile <path to CA signed client PEM file>

Passphrase is for sslPEMKeyPassword <if the certificate-key file is encrypted>

Root CA is for sslCAFile <path to root CA PEM file>


mongo --ssl --sslPEMKeyFile <path to CA signed client PEM file> --sslPEMKeyPassword <if the certificate-key file is encrypted> --sslCAFile <path to root CA PEM file>

Hi,

I am able to connect from the command prompt, but my concern is that I am not able to connect from MongoBooster. I am using the commands below.

server start cmd :

mongod --auth --port <port number> --dbpath <data path> --enableEncryption --encryptionKeyFile <mongodb encryption keyfile> --sslMode requireSSL --sslPEMKeyFile <mongodb.pem> --sslCAFile <server.crt>

client connection cmd:

mongo --host <abcd.domain.com> --port <port num> -u "user name" -p "password" --authenticationDatabase "admin" --ssl --sslPEMKeyFile <mongodb.pem> --sslCAFile <server.crt>


Can you please tell me how to connect to this server from MongoBooster.


I used the steps below to create those files using openssl.

$ which openssl

/usr/bin/openssl


$ openssl genrsa -des3 -passout pass:x -out server.pass.key 2048

Generating RSA private key, 2048 bit long modulus

...................+++

...........................+++

e is 65537 (0x10001)


$ openssl rsa -passin pass:x -in server.pass.key -out server.key

writing RSA key


$ rm server.pass.key


$ openssl req -new -key server.key -out server.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:IN

State or Province Name (full name) [Some-State]:*****

Locality Name (eg, city) []:***

Organization Name (eg, company) [Internet Widgits Pty Ltd]:***

Organizational Unit Name (eg, section) []:***

Common Name (e.g. server FQDN or YOUR name) []:****

Email Address []:*****@***.***


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:XXXXXX

An optional company name []:***


$ openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt

Signature ok

subject=*************************

Getting Private key


$ cat server.key server.crt > mongodb.pem


$ ls

total 16

server.key

server.csr

server.crt

mongodb.pem


Hi,


Please see the attached pictures.

  1. Create a new connection; the connection editor pops up.
  2. Click the "Authentication" tab.
  3. Select "mode": "X.509".
  4. In the certificate field, select the "mongodb.pem" file (your sslPEMKeyFile).
  5. Switch to the "SSL" tab and click "Use own ROOT CA File".
  6. Select the "server.crt" file (your sslCAFile).



Hi,

I am getting the error below when uploading the mongodb.pem file in the certificate field.

"Failed to extract the subject from the certificate file."

Can you please share if you have a document on creating those files using openssl or any...

Otherwise, can you please share any sample file which you are using.

If you generate a self-signed key for a development server like this

$ openssl req -x509 -days 365 -nodes -newkey rsa:1024 -keyout key.pem -out cert.pem


You can hit Enter as an answer to all the questions to accept the default, except this one:


Common Name (eg, YOUR name) []:

Hi,

I am getting the same string format when I upload the "server.crt" file, not the .pem file.

Can you please share the document for preparing those files, i.e. which commands prepare all the files, with steps.

I mentioned all the commands in my reply above.

Try:


 cat server.crt server.key > mongodb.pem


Hi,

Now I am getting an auth failed error. Can you please help with this.

In the server log: $external with mechanism MONGODB-X509: AuthenticationFailed:

There is no x.509 client certificate matching the user.
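Added example, not from the thread or from MongoBooster: the openssl steps above produce one self-signed certificate that is used as both server cert and CA, so the server sees no separate CA-signed client identity. The script below builds a private CA, a server certificate and a separate client certificate in the cert-then-key .pem layout, and prints the client subject that must be created as a user in the $external database before MONGODB-X509 can succeed; it assumes openssl on PATH, and every name and DN value is a constructed placeholder.

```shell
# Added example (not from the thread): private CA + server and client certs
# for MongoDB x.509 auth. Assumes openssl on PATH; names/DNs are placeholders.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Root CA. ca.crt is the file for --sslCAFile / "Use own ROOT CA File".
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -subj "/C=IN/O=ExampleOrg/OU=CA/CN=example-root-ca" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# CA-signed cert + key concatenated into one PEM (certificate first) for
# --sslPEMKeyFile. $1 = base name, $2 = subject. Server and client subjects
# must differ in O/OU, otherwise the server treats the client as a cluster member.
make_pem() {
  name="$1"; subj="$2"
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" 2>/dev/null
  openssl x509 -req -days 365 -sha256 -in "$WORKDIR/$name.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -out "$WORKDIR/$name.crt" 2>/dev/null
  cat "$WORKDIR/$name.crt" "$WORKDIR/$name.key" > "$WORKDIR/$name.pem"
}

# Subject in RFC 2253 form. For MONGODB-X509 this exact string must exist as a
# user in $external, or the server logs
# "There is no x.509 client certificate matching the user".
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Chain check: a cert that does not verify against ca.crt fails the TLS handshake.
verify_cert() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$1" >/dev/null 2>&1
}

make_ca
make_pem server "/C=IN/O=ExampleOrg/OU=Servers/CN=mongo1.example.test"
make_pem client "/C=IN/O=ExampleOrg/OU=Clients/CN=app-user"
# The user name to create on the server (run in the mongo shell as an admin):
printf 'db.getSiblingDB("$external").createUser({user: "%s", roles: [{role: "readWrite", db: "app"}]})\n' \
  "$(cert_subject "$WORKDIR/client.pem")"
```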


I noticed that you did not use x.509 auth; you are using basic user/password auth.

We misunderstood SSL and X.509 and cannot support SSL + basic user/password auth in the current version.


We worked out a new build to resolve this issue. Please download it and give it a try.

http://s3.mongobooster.com/download/3.5/mongobooster-3.5.7-hotfix2.exe



where do I specify the `--host` field in SSL tab?


--host <hostname> Specifies the name of the host machine where the mongod or mongos is running.



Hi qinghai,

I have similar problem connecting to MongoDB with SSL. We need to pass the URL in the following format in the Docker file. The below URL is working.

mongo mongodb://<username>:<password>@host1:27017,host2:27017,host3:27017/?replicaSet=<replica_Name>&MONGO_AUTH_DB_OPTION=admin

Now, the SSL is enabled on MongoDB and we need to pass the SSL parameters. The below URL is not working.

mongo mongodb://<username>:<password>@host1:27017,host2:27017,host3:27017/?replicaSet=<replica_Name>&authSource=admin&ssl=true&sslPEMKeyFile=/etc/ssl/<host1>.pem&sslCAFile=/etc/ssl/<pem_name>.pem


Could you please advise how the connection can be made with SSL parameters?


Many Thanks


Try command line parameters like below:

mongo --ssl --sslPEMKeyFile /etc/ssl/<host1>.pem --sslCAFile /etc/ssl/<pem_name>.pem mongodb://<username>:<password>@host1:27017,host2:27017,host3:27017/?replicaSet=<replica_Name>&authSource=admin


I tried and it does not work.


This is the output when I tested from the command line.

===============================================================================================================================

[ec2-user@ip-xx-xx-xx-xx ~]$ mongo --ssl --sslPEMKeyFile /etc/ssl/<host1> --sslCAFile /etc/ssl/<CAFile_Name>.pem mongodb://<username>:<password>@<host1>:27017,<host2>:27017,<host3>:27017/?replicaSet=<replica_Name>&authSource=admin

[1] 13548

[ec2-user@ip-xx-xx-xx-xx ~]$ MongoDB shell version v4.0.5

connecting to: mongodb://<host1>:27017,<host2>:27017,<host3>:27017/?gssapiServiceName=mongodb&replicaSet=<replica_Name>

2019-01-10T08:36:53.737+0100 I NETWORK [js] Starting new replica set monitor for <replica_Name>/<host1>:27017,<host2>:27017,<host3>:27017

2019-01-10T08:36:53.786+0100 I NETWORK [js] Successfully connected to <host1>:27017 (1 connections now open to <host1>:27017 with a 5 second timeout)

2019-01-10T08:36:53.786+0100 I NETWORK [js] changing hosts to <replica_Name>/<host1>:27017,<host2>:27017,<host3>.:27017 from <replica_Name>/<host1>:27017,<host2>:27017,<host3>:27017

Implicit session: session { "id" : UUID("10e4ddca-1bb8-4d94-9983-8a098c5dbc2b") }

MongoDB server version: 4.0.2


[1]+ Stopped mongo --ssl --sslPEMKeyFile /etc/ssl/<host1> --sslCAFile /etc/ssl/<CAFile_Name>.pem mongodb://<username>:<password>@<host1>:27017,<host2>:27017,<host3>:27017/?replicaSet=<replica_Name>


===============================================================================================================================


When testing from the terminal, the connection halts at "MongoDB server version: 4.0.2" and does not enter the MongoDB shell. When I press return on my keypad, it shows "Stopped" and exits.


The following URL works:

mongo --ssl mongodb://<username>:<password>@<host1>:27017,<host2>:27017,<host3>:27017/?replicaSet=<replica_Name> --sslPEMKeyFile /etc/ssl/<host1> --sslCAFile /etc/ssl/<CAFile_Name>.pem

But if I add authSource=admin after or before replicaSet, then it fails.


Would it be possible to form a single URL concatenating all the parameters?
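Added example, not from the thread: what the "[1] 13548" and "Stopped" lines in the terminal output above show is the shell, not MongoDB. An unquoted URI is cut at "&": the part up to replicaSet=<name> is started as a background job (which is stopped the moment it tries to read the terminal), and authSource=admin becomes a separate command. The stand-in for the mongo binary below only echoes the arguments it receives; hosts and credentials are constructed placeholders and nothing is contacted.

```shell
# Added example (not from the thread): how an unquoted "&" in a MongoDB URI
# splits the command line. Placeholder hosts/credentials; no server is contacted.

URI='mongodb://appuser:s3cret@host1:27017,host2:27017/?replicaSet=rs0&authSource=admin'

# Stand-in for the mongo binary: echoes the arguments it actually received.
fake_mongo() { printf '%s\n' "$*"; }

# Typed the way the thread does it: the URI is interpolated unquoted, so the
# shell sees "fake_mongo --ssl mongodb://...replicaSet=rs0 &" followed by the
# assignment "authSource=admin". Runs in a subshell so the stray background
# job cannot escape; its output is everything up to the "&".
run_unquoted() { ( eval "fake_mongo --ssl $URI" ) 2>/dev/null; }

# Same command with the URI quoted: one argument, "&" and "?" are passed through.
run_quoted() { fake_mongo --ssl "$URI"; }

echo "unquoted: $(run_unquoted)"
echo "quoted:   $(run_quoted)"
```

Quoting fixes the split, but credentials in a command-line URI are still visible to every local user in the process list, so prefer letting the shell prompt for the password or supplying it from a restricted file.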


It doesn't look like it's possible to form a single URL concatenating with all the parameters.

BTW, the above command line parameters work well to connect to my test SSL-enabled MongoDB server.